In certain circumstances, desktop antivirus programs may detect viruses in the Windows System Restore directories. When this happens, the program will not be able to clean the detect virus, since those directories are protected by the system and cannot be tampered with. A user faced with such a problem—an apparently uncleanable virus—may panic without knowing what the real problem is.
Many viruses masquerade as system files or install themselves into directories that are monitored by System Restore. Consequently, running a virus scan can reveal the presence of a virus in the System Restore repository for a volume, a folder named System Volume Information. System Restore points are saved into these folders, and depending on the amount of space allocated for System Restore on a given volume, old copies of viruses no longer present in the system directories themselves may be preserved in a System Restore point.
This is not in itself a problem unless the user restores to one of those points, in which case the virus will be free once again to do damage. The only way to remove the virus is to empty out the System Restore folder—by turning off System Restore for all drives, rebooting, and then turning it back on again. This will cause all the System Restore points to be deleted, but a fresh one will be created at the next shutdown. (If the system is in generally good shape barring the presence of a virus in the System Restore repository, erasing the System Restore folder is usually not that big a loss.)
Editor's Note: SearchWin2000.com reader Dan Dahlberg suggests an alternative solution. He says, "This can also be resolved by booting to Safe Mode, making System Folders accessible through Folder Options and running the virus scan on the System Volume Information folder. This allows you to keep your System Restore directories which may come in handy since you're obviously battling viruses."
Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter. Check out his Windows 2000 blog for his latest advice and musings on the world of Windows network administrators – please share your thoughts as well!
This was first published in July 2004